* [warrior][PATCH v2] patch: fix CVE-2019-13638
@ 2019-08-08 14:26 Trevor Gamblin
2019-08-08 20:16 ` Randy MacLeod
0 siblings, 1 reply; 3+ messages in thread
From: Trevor Gamblin @ 2019-08-08 14:26 UTC (permalink / raw)
To: openembedded-core
From: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
---
...ke-ed-directly-instead-of-using-the-shell.patch | 44 ++++++++++++++++++++++
meta/recipes-devtools/patch/patch_2.7.6.bb | 2 +
2 files changed, 46 insertions(+)
create mode 100644 meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch
diff --git a/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch b/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch
new file mode 100644
index 0000000..f60dfe8
--- /dev/null
+++ b/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch
@@ -0,0 +1,44 @@
+From 3fcd042d26d70856e826a42b5f93dc4854d80bf0 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Fri, 6 Apr 2018 19:36:15 +0200
+Subject: [PATCH] Invoke ed directly instead of using the shell
+
+* src/pch.c (do_ed_script): Invoke ed directly instead of using a shell
+command to avoid quoting vulnerabilities.
+
+CVE: CVE-2019-13638
+Upstream-Status: Backport[https://git.savannah.gnu.org/cgit/patch.git/patch/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0]
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+
+---
+ src/pch.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+
+diff --git a/src/pch.c b/src/pch.c
+index 4fd5a05..16e001a 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -2459,9 +2459,6 @@ do_ed_script (char const *inname, char const *outname,
+ *outname_needs_removal = true;
+ copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
+ }
+- sprintf (buf, "%s %s%s", editor_program,
+- verbosity == VERBOSE ? "" : "- ",
+- outname);
+ fflush (stdout);
+
+ pid = fork();
+@@ -2470,7 +2467,8 @@ do_ed_script (char const *inname, char const *outname,
+ else if (pid == 0)
+ {
+ dup2 (tmpfd, 0);
+- execl ("/bin/sh", "sh", "-c", buf, (char *) 0);
++ assert (outname[0] != '!' && outname[0] != '-');
++ execlp (editor_program, editor_program, "-", outname, (char *) NULL);
+ _exit (2);
+ }
+ else
+--
+2.7.4
+
diff --git a/meta/recipes-devtools/patch/patch_2.7.6.bb b/meta/recipes-devtools/patch/patch_2.7.6.bb
index 85b0db7..8908910 100644
--- a/meta/recipes-devtools/patch/patch_2.7.6.bb
+++ b/meta/recipes-devtools/patch/patch_2.7.6.bb
@@ -6,6 +6,8 @@ SRC_URI += "file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
file://0003-Allow-input-files-to-be-missing-for-ed-style-patches.patch \
file://0004-Fix-arbitrary-command-execution-in-ed-style-patches-.patch \
file://0001-Fix-swapping-fake-lines-in-pch_swap.patch \
+ file://CVE-2019-13636.patch \
+ file://0001-Invoke-ed-directly-instead-of-using-the-shell.patch \
"
SRC_URI[md5sum] = "4c68cee989d83c87b00a3860bcd05600"
--
2.7.4
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [warrior][PATCH v2] patch: fix CVE-2019-13638
2019-08-08 14:26 [warrior][PATCH v2] patch: fix CVE-2019-13638 Trevor Gamblin
@ 2019-08-08 20:16 ` Randy MacLeod
2019-08-23 19:46 ` Trevor Gamblin
0 siblings, 1 reply; 3+ messages in thread
From: Randy MacLeod @ 2019-08-08 20:16 UTC (permalink / raw)
To: Trevor Gamblin, openembedded-core, Armin Kuster
On 8/8/19 10:26 AM, Trevor Gamblin wrote:
> From: Trevor Gamblin <trevor.gamblin@windriver.com>
>
> Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
> ---
> ...ke-ed-directly-instead-of-using-the-shell.patch | 44 ++++++++++++++++++++++
> meta/recipes-devtools/patch/patch_2.7.6.bb | 2 +
> 2 files changed, 46 insertions(+)
> create mode 100644 meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch
>
> diff --git a/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch b/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch
> new file mode 100644
> index 0000000..f60dfe8
> --- /dev/null
> +++ b/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch
> @@ -0,0 +1,44 @@
> +From 3fcd042d26d70856e826a42b5f93dc4854d80bf0 Mon Sep 17 00:00:00 2001
> +From: Andreas Gruenbacher <agruen@gnu.org>
> +Date: Fri, 6 Apr 2018 19:36:15 +0200
> +Subject: [PATCH] Invoke ed directly instead of using the shell
> +
> +* src/pch.c (do_ed_script): Invoke ed directly instead of using a shell
> +command to avoid quoting vulnerabilities.
> +
> +CVE: CVE-2019-13638
> +Upstream-Status: Backport[https://git.savannah.gnu.org/cgit/patch.git/patch/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0]
> +Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
> +
> +---
> + src/pch.c | 6 ++----
> + 1 file changed, 2 insertions(+), 4 deletions(-)
> +
> +
> +diff --git a/src/pch.c b/src/pch.c
> +index 4fd5a05..16e001a 100644
> +--- a/src/pch.c
> ++++ b/src/pch.c
> +@@ -2459,9 +2459,6 @@ do_ed_script (char const *inname, char const *outname,
> + *outname_needs_removal = true;
> + copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
> + }
> +- sprintf (buf, "%s %s%s", editor_program,
> +- verbosity == VERBOSE ? "" : "- ",
> +- outname);
> + fflush (stdout);
> +
> + pid = fork();
> +@@ -2470,7 +2467,8 @@ do_ed_script (char const *inname, char const *outname,
> + else if (pid == 0)
> + {
> + dup2 (tmpfd, 0);
> +- execl ("/bin/sh", "sh", "-c", buf, (char *) 0);
> ++ assert (outname[0] != '!' && outname[0] != '-');
> ++ execlp (editor_program, editor_program, "-", outname, (char *) NULL);
> + _exit (2);
> + }
> + else
> +--
> +2.7.4
> +
> diff --git a/meta/recipes-devtools/patch/patch_2.7.6.bb b/meta/recipes-devtools/patch/patch_2.7.6.bb
> index 85b0db7..8908910 100644
> --- a/meta/recipes-devtools/patch/patch_2.7.6.bb
> +++ b/meta/recipes-devtools/patch/patch_2.7.6.bb
> @@ -6,6 +6,8 @@ SRC_URI += "file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
> file://0003-Allow-input-files-to-be-missing-for-ed-style-patches.patch \
> file://0004-Fix-arbitrary-command-execution-in-ed-style-patches-.patch \
> file://0001-Fix-swapping-fake-lines-in-pch_swap.patch \
> + file://CVE-2019-13636.patch \
> + file://0001-Invoke-ed-directly-instead-of-using-the-shell.patch \
> "
Odd, you only added one patch but you changed two lines above.
I assume this is due to a merge conflict that you incorrectly resolved.
If you apply this commit on warrior, you see:
WARNING: patch-2.7.6-r0 do_fetch: Failed to fetch URL
file://CVE-2019-13636.patch, attempting MIRRORS if available
ERROR: patch-2.7.6-r0 do_fetch: Fetcher failure: Unable to find file
file://CVE-2019-13636.patch anywhere. The paths that were searched were:
Fix and v3 please.
../Randy
>
> SRC_URI[md5sum] = "4c68cee989d83c87b00a3860bcd05600"
>
--
# Randy MacLeod
# Wind River Linux
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [warrior][PATCH v2] patch: fix CVE-2019-13638
2019-08-08 20:16 ` Randy MacLeod
@ 2019-08-23 19:46 ` Trevor Gamblin
0 siblings, 0 replies; 3+ messages in thread
From: Trevor Gamblin @ 2019-08-23 19:46 UTC (permalink / raw)
To: Randy MacLeod, openembedded-core, Armin Kuster
[-- Attachment #1: Type: text/plain, Size: 4449 bytes --]
On 8/8/19 4:16 PM, Randy MacLeod wrote:
> On 8/8/19 10:26 AM, Trevor Gamblin wrote:
>> From: Trevor Gamblin <trevor.gamblin@windriver.com>
>>
>> Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
>> ---
>> ...ke-ed-directly-instead-of-using-the-shell.patch | 44
>> ++++++++++++++++++++++
>> meta/recipes-devtools/patch/patch_2.7.6.bb | 2 +
>> 2 files changed, 46 insertions(+)
>> create mode 100644
>> meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch
>>
>> diff --git
>> a/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch
>> b/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch
>>
>> new file mode 100644
>> index 0000000..f60dfe8
>> --- /dev/null
>> +++
>> b/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch
>> @@ -0,0 +1,44 @@
>> +From 3fcd042d26d70856e826a42b5f93dc4854d80bf0 Mon Sep 17 00:00:00 2001
>> +From: Andreas Gruenbacher <agruen@gnu.org>
>> +Date: Fri, 6 Apr 2018 19:36:15 +0200
>> +Subject: [PATCH] Invoke ed directly instead of using the shell
>> +
>> +* src/pch.c (do_ed_script): Invoke ed directly instead of using a shell
>> +command to avoid quoting vulnerabilities.
>> +
>> +CVE: CVE-2019-13638
>> +Upstream-Status:
>> Backport[https://git.savannah.gnu.org/cgit/patch.git/patch/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0]
>> +Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
>> +
>> +---
>> + src/pch.c | 6 ++----
>> + 1 file changed, 2 insertions(+), 4 deletions(-)
>> +
>> +
>> +diff --git a/src/pch.c b/src/pch.c
>> +index 4fd5a05..16e001a 100644
>> +--- a/src/pch.c
>> ++++ b/src/pch.c
>> +@@ -2459,9 +2459,6 @@ do_ed_script (char const *inname, char const
>> *outname,
>> + *outname_needs_removal = true;
>> + copy_file (inname, outname, 0, exclusive, instat.st_mode,
>> true);
>> + }
>> +- sprintf (buf, "%s %s%s", editor_program,
>> +- verbosity == VERBOSE ? "" : "- ",
>> +- outname);
>> + fflush (stdout);
>> +
>> + pid = fork();
>> +@@ -2470,7 +2467,8 @@ do_ed_script (char const *inname, char const
>> *outname,
>> + else if (pid == 0)
>> + {
>> + dup2 (tmpfd, 0);
>> +- execl ("/bin/sh", "sh", "-c", buf, (char *) 0);
>> ++ assert (outname[0] != '!' && outname[0] != '-');
>> ++ execlp (editor_program, editor_program, "-", outname,
>> (char *) NULL);
>> + _exit (2);
>> + }
>> + else
>> +--
>> +2.7.4
>> +
>> diff --git a/meta/recipes-devtools/patch/patch_2.7.6.bb
>> b/meta/recipes-devtools/patch/patch_2.7.6.bb
>> index 85b0db7..8908910 100644
>> --- a/meta/recipes-devtools/patch/patch_2.7.6.bb
>> +++ b/meta/recipes-devtools/patch/patch_2.7.6.bb
>> @@ -6,6 +6,8 @@ SRC_URI +=
>> "file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
>> file://0003-Allow-input-files-to-be-missing-for-ed-style-patches.patch \
>> file://0004-Fix-arbitrary-command-execution-in-ed-style-patches-.patch \
>> file://0001-Fix-swapping-fake-lines-in-pch_swap.patch \
>> + file://CVE-2019-13636.patch \
>> + file://0001-Invoke-ed-directly-instead-of-using-the-shell.patch \
>> "
>
> Odd, you only added one patch but you changed two lines above.
> I assume this is due to a merge conflict that you incorrectly resolved.
>
> If you apply this commit on warrior, you see:
>
> WARNING: patch-2.7.6-r0 do_fetch: Failed to fetch URL
> file://CVE-2019-13636.patch, attempting MIRRORS if available
> ERROR: patch-2.7.6-r0 do_fetch: Fetcher failure: Unable to find file
> file://CVE-2019-13636.patch anywhere. The paths that were searched were:
>
> Fix and v3 please.
Patches are currently under review for both warrior
<https://patchwork.openembedded.org/patch/163490/> and thud
<https://patchwork.openembedded.org/patch/163495/> to add
CVE-2019-13636. Would it be better to hold off on submitting my patch
for CVE-2019-13638 to those branches, until the line
file://CVE-2019-13636.patch \
is incorporated as part of those?
>
> ../Randy
>> SRC_URI[md5sum] = "4c68cee989d83c87b00a3860bcd05600"
>>
>
>
[-- Attachment #2: Type: text/html, Size: 8241 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-08-23 19:47 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-08-08 14:26 [warrior][PATCH v2] patch: fix CVE-2019-13638 Trevor Gamblin
2019-08-08 20:16 ` Randy MacLeod
2019-08-23 19:46 ` Trevor Gamblin
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.